Skip to site navigation (Press enter)

[webkit-changes] [192078] trunk/Source/JavaScriptCore

commit-queue Thu, 05 Nov 2015 14:21:53 -0800

Title: [192078] trunk/Source/_javascript_Core

Revision: 192078
Author: [email protected]
Date: 2015-11-05 14:21:19 -0800 (Thu, 05 Nov 2015)

Log Message

Using emitResolveScope & emitGetFromScope with 'this' that is TDZ lead to segfault in DFG
https://bugs.webkit.org/show_bug.cgi?id=150902


Patch by Aleksandr Skachkov <[email protected]> on 2015-11-05
Reviewed by Geoffrey Garen.

Tiny fix provided by Saam Barati. This fix prevent segfault error in arrow function,
when it uses in constructor of derived class, before 'super' is called.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (192077 => 192078)


--- trunk/Source/_javascript_Core/ChangeLog	2015-11-05 22:17:50 UTC (rev 192077)
+++ trunk/Source/_javascript_Core/ChangeLog	2015-11-05 22:21:19 UTC (rev 192078)
@@ -1,3 +1,16 @@
+2015-11-05  Aleksandr Skachkov  <[email protected]>
+
+        Using emitResolveScope & emitGetFromScope with 'this' that is TDZ lead to segfault in DFG
+        https://bugs.webkit.org/show_bug.cgi?id=150902
+
+        Reviewed by Geoffrey Garen.
+
+        Tiny fix provided by Saam Barati. This fix prevent segfault error in arrow function, 
+        when it uses in constructor of derived class, before 'super' is called.
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+
 2015-11-05  Filip Pizlo  <[email protected]>
 
         B3->Air lowering should have a story for compare-branch fusion

Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (192077 => 192078)


--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2015-11-05 22:17:50 UTC (rev 192077)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2015-11-05 22:21:19 UTC (rev 192078)
@@ -1825,7 +1825,7 @@
             setConstant(node, *m_graph.freeze(value));
             break;
         }
-        forNode(node).makeHeapTop();
+        forNode(node).makeBytecodeTop();
         break;
             
     case PutClosureVar:

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes